| 1 | +--- |
| 2 | +# required metadata |
| 3 | +title: Overview of security concepts in Windows 365 |
| 4 | +titleSuffix: |
| 5 | +description: Learn about security concepts in Windows 365. |
| 6 | +keywords: |
| 7 | +author: ErikjeMS |
| 8 | +ms.author: erikje |
| 9 | +manager: dougeby |
| 10 | +ms.date: 07/20/2022 |
| 11 | +ms.topic: overview |
| 12 | +ms.service: cloudpc |
| 13 | +ms.subservice: |
| 14 | +ms.localizationpriority: high |
| 15 | +ms.technology: |
| 16 | +ms.assetid: |
| 17 | + |
| 18 | +# optional metadata |
| 19 | + |
| 20 | +#ROBOTS: |
| 21 | +#audience: |
| 22 | + |
| 23 | +ms.reviewer: chrimo |
| 24 | +ms.suite: ems |
| 25 | +search.appverid: |
| 26 | +#ms.tgt_pltfrm: |
| 27 | +ms.custom: intune-azure; get-started |
| 28 | +ms.collection: M365-identity-device-management |
| 29 | +--- |
| 30 | + |
| 31 | +# Windows 365 security |
| 32 | + |
| 33 | +<< introduction >> |
| 34 | + |
| 35 | +## Secure Cloud PC access |
| 36 | + |
| 37 | +The first security boundary to protect is access to the Cloud PC through the Windows 365 service. |
| 38 | + |
| 39 | +## Secure Cloud PC devices |
| 40 | + |
| 41 | +After securing access to Cloud PCs, the next security boundary is the Cloud PC, aka Windows device, itself. |
| 42 | + |
| 43 | +### Security features enabled by default |
| 44 | + |
| 45 | +All new Cloud PCs have the following security components enabled by default: |
| 46 | + |
| 47 | +- **vTPM**: Short for virtual Trusted Platform Module, a vTPM provides Cloud PCs their own dedicate TPM instance that acts as a secure vault for keys and measurements. For more information, see [vTPM](/azure/virtual-machines/trusted-launch#vtpm). |
| 48 | +- **Secure Boot**: Secure Boot is a feature that will prevent the Windows operating system from booting if untrusted rootkits or boot kits are installed on the machine. For more information, see [secure boot](/azure/virtual-machines/trusted-launch#secure-boot). |
| 49 | + |
| 50 | +With both security components enabled, Windows 365 supports enabling the following Windows security features: |
| 51 | + |
| 52 | +- Hypervisor Code Integrity (HVCI) |
| 53 | +- [Microsoft Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage) |
| 54 | + |
| 55 | +### Security features requiring specific Cloud PC SKUs or configuration |
| 56 | + |
| 57 | +The following security components are enabled by default on specific Cloud PC SKUs or configurations: |
| 58 | + |
| 59 | +- **Virtualization-based workloads** |
| 60 | + - **Description**: Virtualization-based workloads typically require the Windows device to enable the Hyper-V feature and run the workloads in an isolated space, to protect the Windows OS from any security threats. |
| 61 | + - **Security features supported**: |
| 62 | + - [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) |
| 63 | + - [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) |
| 64 | + - **Required configuration**: Cloud PC must have 8 vCPU and 32 GB RAM. See [set up virtualization-based workloads support](nested-virtualization) for more information. |
| 65 | + |
| 66 | +## Secure Cloud PC data |
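Review bot: The `<< introduction >>` placeholder directly under `# Windows 365 security` is literal text that will render as-is; supply the introduction before merge. Two sections are also stubs: `## Secure Cloud PC access` consists of a single sentence and `## Secure Cloud PC data` has no body, so the page ends mid-structure; if this is an intentional first cut, a TODO comment in the source would make that visible to the next author. Typos in the default-features bullets: `dedicate TPM instance` should read `dedicated TPM instance`, and `boot kits` is conventionally `bootkits`. The Secure Boot description (`will prevent the Windows operating system from booting if untrusted rootkits or boot kits are installed`) would be more precise as a statement about signature checking, for example `prevents the system from booting if a boot component is not signed by a trusted authority`, since that is the mechanism that blocks bootkits. `aka Windows device` in the Secure Cloud PC devices paragraph is informal for a docs page; consider `the Cloud PC (the Windows device itself)`. Finally, `[set up virtualization-based workloads support](nested-virtualization)` is the only link on the page written as a bare relative name without a path or file extension, so confirm it resolves in the docs build the same way the `/azure/...` and `/windows/...` links do.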